1. Field of the Invention
The present invention relates to a storage system in which a client and a storage device are connected via a network.
2. Description of Related Art
A SAN (Storage Area Network) is known as a storage system in which a client and a storage device are connected via a network. The SAN comprises a SAN fabric that uses the FC (Fibre Channel) protocol for communication. The client uses SCSI (Small Computer System Interface) commands to access the storage device. An example of the SAN configuration is described in “Building Storage Networks SECOND EDITION” (ISBN 0-07-213072-5, pp. 23-30) published by OSBORNE, Inc., 2001.
In order to prevent unauthorized access from a client having no access privilege, the SAN uses a zoning capability, as shown in FIG. 27, to map a logical volume 13 in a storage device 11 to an FC port 12. The mapping between the logical volume 13 and the FC port 12 allows access to the logical volume 13 only for the client 21 that is permitted to connect with the FC port 12. A client 22 not connected to the FC port 12 cannot access the logical volume 13.
Known networks include a LAN (Local Area Network), a MAN (Metropolitan Area Network), and a WAN (Wide Area Network). Network protocols such as Ethernet, ATM (Asynchronous Transfer Mode), and IP (Internet Protocol), all of which are registered trademarks, are widely used for these networks. The iSCSI protocol is known as a means of accessing a storage device connected to the LAN/MAN/WAN directly or via the SAN. The iSCSI protocol carries SCSI commands over a network protocol and enables access to the storage in units of blocks. The iSCSI protocol is described in detail in “iSCSI” (draft-ietf-ips-iscsi) published by IETF.
To prevent unauthorized access, iSCSI specifies protocols for login authentication, but none for data protection on LAN/MAN/WAN communication paths. A LAN/MAN/WAN requires security countermeasures against unauthorized access or wiretapping because an unspecified number of clients can connect to the network. A VPN (Virtual Private Network) is known as a countermeasure against unauthorized access or wiretapping.
VPN technology carries the network protocol of a private network (LAN) in the payload portion of another network protocol used on the LAN/MAN/WAN. The VPN thus virtually forms a single private network area spanning private networks in remote locations. When a VPN is provided on the LAN/MAN/WAN, the traffic of that VPN can be distinguished from other traffic. As a result, unauthorized access or wiretapping from terminals other than those on the VPN can be prevented and security ensured. There are different types of VPNs for different network protocols. VPNs of different types have no connectivity with one another, and even VPNs of the same type are difficult to connect when they are managed by different domains. For this reason, the use of a unified identifier, the VPN-ID, has been proposed. VPN-IDs are described in detail in “Virtual Private Networks Identifier” (RFC2685) published by IETF.
iSCSI uses IPsec as one system for protecting data on LAN/MAN/WAN communication paths. IPsec is specified so that the authentication and encryption algorithms and the key management mechanism are separated from the protocol itself, allowing various algorithms to be supported. Accordingly, IPsec comprises a plurality of protocols. IPsec security is characterized by protection of data against tampering and leakage. IPsec can establish communication if the source and destination clients comply with IPsec and the intermediary network supports IP. Accordingly, it has the advantage of a wide applicable range without the need for special apparatus. When IPsec security is used for iSCSI to perform authentication, the client can access the storage via the LAN/MAN/WAN. The IPsec architecture is described in detail in “Security Architecture for the Internet Protocol” (RFC2401).
The SAN's zoning capability limits the number of logical volumes for the storage device to the number of FC ports. This causes an operational problem because the storage device is in practice used by only a small number of clients.
The above-mentioned prior art has the following problems.
When a client accesses the storage via the LAN/MAN/WAN, both the SAN and the LAN/MAN/WAN need to ensure security. The SAN can ensure security by using its zoning capability. The LAN/MAN/WAN can ensure security by combining iSCSI with a data protection system on the communication paths. However, IPsec cannot guard against “disguise” (impersonation) and is not suited to all network environments. For example, a client may access the storage from a wide area via networks that cannot ensure security or line quality. In such a case, each network must use an appropriate data protection system in order to provide the client with more secure and reliable access. Consequently, the VPN needs to comprise not only a single type but a plurality of types.
When the client accesses the storage via the LAN/MAN/WAN, a volume needs to be allocated to each client. iSCSI allows a plurality of clients to access the FC port, but has no capability to allocate a logical volume to each client. Although the scalability of the number of connectable clients can thus be improved, improving the scalability of the number of logical volumes remains a problem.
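The following is an added toy model, not code from the patent, of the FC-port zoning described above (FIG. 27) and of the two prior-art problems it leads to: volumes that can be isolated only one per FC port, and iSCSI clients sharing one FC port that zoning cannot tell apart. The class name `ZonedStorage`, the port names and the client names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ZonedStorage:
    """Storage device whose logical volumes are protected only by FC-port zoning."""
    fc_ports: set[str]
    # volume -> the single FC port it is mapped to (the zoning of FIG. 27)
    volume_to_port: dict[str, str] = field(default_factory=dict)
    # client -> FC ports the fabric permits it to connect to
    client_ports: dict[str, set[str]] = field(default_factory=dict)

    def map_volume(self, volume: str, port: str) -> None:
        if port not in self.fc_ports:
            raise ValueError(f"unknown FC port {port}")
        # A volume is isolated from the others only if it has a port of its own,
        # so the number of separately protected volumes is bounded by the ports.
        if port in self.volume_to_port.values():
            raise ValueError(f"port {port} already protects another volume")
        self.volume_to_port[volume] = port

    def connect(self, client: str, port: str) -> None:
        self.client_ports.setdefault(client, set()).add(port)

    def can_access(self, client: str, volume: str) -> bool:
        """Zoning decision: allowed only via the FC port the volume is mapped to."""
        port = self.volume_to_port.get(volume)
        return port is not None and port in self.client_ports.get(client, set())

    def max_isolated_volumes(self) -> int:
        return len(self.fc_ports)


def demo() -> dict:
    """Constructed scenario mirroring FIG. 27 plus two iSCSI clients behind one port."""
    s = ZonedStorage(fc_ports={"port12", "port14"})
    s.map_volume("vol13", "port12")
    s.connect("client21", "port12")   # client 21 is permitted to connect with port 12
    s.connect("client22", "port14")   # client 22 is on the fabric but not on port 12
    for c in ("iscsi_a", "iscsi_b"):  # iSCSI clients reaching the SAN via port 12
        s.connect(c, "port12")
    try:                              # a second volume cannot get its own protection
        s.map_volume("vol15", "port12")
        second_volume_isolated = True
    except ValueError:
        second_volume_isolated = False
    return {
        "client21": s.can_access("client21", "vol13"),
        "client22": s.can_access("client22", "vol13"),
        # zoning sees only the port, so both iSCSI clients get identical access
        "iscsi_a": s.can_access("iscsi_a", "vol13"),
        "iscsi_b": s.can_access("iscsi_b", "vol13"),
        "second_volume_isolated": second_volume_isolated,
        "max_isolated_volumes": s.max_isolated_volumes(),
    }
```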